Privacy Policy
This Privacy Policy explains how Bugtri Ltd ("Bugtri", "we", "us", or "our") collects, uses, discloses, and protects personal information when you access or use the Bugtri website, platform, AI triage systems, and related services (collectively, the "Services").
This Policy is designed to comply with applicable privacy and data protection laws in the United Kingdom, the European Economic Area where applicable, the United States (including California and other state privacy laws), and Australia.
1. Who We Are
Bugtri Ltd is a company registered in the United Kingdom. We provide an AI-powered vulnerability disclosure and bug bounty email triage platform for small and medium businesses.
For the purposes of UK GDPR and EU GDPR, Bugtri Ltd acts as a data controller in respect of personal information processed through the Website and platform.
2. Information We Collect
We may collect the following categories of personal information:
- Identity information (name, job title)
- Contact information (email address, business address)
- Account data (login credentials, billing details, connected mailbox metadata)
- Email content processed through the triage pipeline (vulnerability reports received via your shared mailbox)
- Technical data (IP address, browser type, device identifiers)
- Usage data (how you interact with the platform, triage settings, scoring configurations)
- Communications data (support queries, correspondence)
3. How We Collect Information
- Directly from you when you register, subscribe, or contact us
- Through your connected email mailbox via OAuth (Google Workspace or Microsoft 365)
- Through platform usage and triage interactions
- Via cookies and similar tracking technologies
- From third-party payment processors (e.g. Stripe)
4. Legal Bases for Processing (UK & EU)
Under UK GDPR / EU GDPR, we process personal data on the following bases:
- Performance of a contract (providing the triage service you subscribed to)
- Compliance with legal obligations
- Legitimate interests (such as platform security, fraud prevention, and service improvement)
- Consent (where required, including for marketing communications)
5. How We Use Your Information
- To provide and operate the triage Services, including processing vulnerability reports from your connected mailbox
- To sanitise email content before it is sent to AI providers for analysis
- To deliver triage summary emails and auto-responses
- To manage your account, billing, and subscription
- To maintain platform security and integrity
- To comply with legal and regulatory obligations
- To improve functionality and user experience
6. Email Content & Data Sanitisation
Bugtri connects to your shared mailbox via OAuth to read incoming vulnerability reports. Before any report content is sent to a third-party AI provider for analysis, Bugtri strips sensitive data (URLs, IP addresses, email addresses, domains, and custom patterns you define) and replaces them with safe placeholder tokens.
The original unsanitised content is only used to restore tokens in the final triage summary email delivered to your mailbox. You control what types of data are sanitised, and you may configure data retention policies to automatically purge processed content.
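The sanitise-then-restore flow described in this section, sketched as an added illustration. This is not Bugtri's code: the [[KIND_n]] token format, the regular expressions, the TICKET custom rule and the sample report are all assumptions made for the example.

```python
import re

TOKEN = r"\[\[[A-Z]+_\d+\]\]"  # assumed placeholder format, e.g. [[URL_1]]
# Widest rule first: at the same position a URL must win over the domain
# inside it, and an e-mail address over the domain after the "@".
BUILTIN = {
    "URL": r"https?://[^\s<>\"']*[^\s<>\"'.,;:!?)]",
    "EMAIL": r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+",
    "IP": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "DOMAIN": r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b",
}


def sanitise(text, custom=None):
    """Swap sensitive values for tokens; custom maps RULE_NAME -> regex."""
    # Token look-alikes already in the report are vaulted too, so restore()
    # cannot be tricked into expanding text the sender typed.
    rules = {"TOKEN": TOKEN, **(custom or {}), **BUILTIN}
    combined = re.compile("|".join(f"(?P<{k}>{p})" for k, p in rules.items()))
    vault, issued, counts = {}, {}, {}

    def swap(match):
        key = (match.lastgroup, match.group(0))
        if key not in issued:  # same value -> same token, so context survives
            counts[key[0]] = counts.get(key[0], 0) + 1
            issued[key] = f"[[{key[0]}_{counts[key[0]]}]]"
            vault[issued[key]] = key[1]
        return issued[key]

    return combined.sub(swap, text), vault


def restore(summary, vault):
    """Put originals back in one pass; unknown tokens are left untouched."""
    return re.sub(TOKEN, lambda m: vault.get(m.group(0), m.group(0)), summary)


# Constructed sample report; ACME-4411 stands in for a custom pattern.
REPORT = (
    "IDOR at https://shop.example.com/account?id=42, tested from 203.0.113.7. "
    "Same host shop.example.com leaks data for ticket ACME-4411. "
    "Contact alice@researcher.example. The body also contains [[URL_1]]."
)
CLEAN, VAULT = sanitise(REPORT, custom={"TICKET": r"ACME-\d+"})

if __name__ == "__main__":
    print(CLEAN)
    print(restore("IDOR on [[DOMAIN_1]], reply to [[EMAIL_1]]", VAULT))
```

Only CLEAN would leave the system in this sketch; VAULT stays local and is the "original unsanitised content" needed to rebuild the final summary.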
7. United States Privacy Rights
If you are a resident of California or another US state with comprehensive privacy legislation, you may have rights to:
- Request disclosure of personal information collected
- Request deletion of personal information
- Request correction of inaccurate information
- Opt out of the sale or sharing of personal information
- Limit use of sensitive personal information (where applicable)
Bugtri does not sell personal information. Where data processing could constitute "sharing" under state law, users may exercise opt-out rights by contacting us.
8. Australian Privacy Rights
In accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), individuals have the right to:
- Request access to personal information held about them
- Request correction of inaccurate or outdated information
- Make a complaint regarding handling of personal information
9. Data Sharing & Disclosure
We may share personal information with:
- AI providers (sanitised report content only, using your own API key)
- Service providers (hosting, payment processors such as Stripe)
- Email service providers (for delivering triage summaries and auto-responses)
- Professional advisers (legal, accounting)
- Regulatory or law enforcement authorities where legally required
We do not sell personal data.
10. International Data Transfers
As a global platform, personal data may be transferred to and processed in the United Kingdom, the United States, and other jurisdictions where our infrastructure providers operate.
Where required, we implement appropriate safeguards such as standard contractual clauses and contractual data protection commitments.
11. Data Retention
We retain personal information only for as long as necessary to fulfil contractual, legal, or legitimate business purposes. Processed email content is subject to the data retention policy you configure in your account settings. You may trigger manual purges or enable automatic data deletion.
12. Security Measures
We implement appropriate technical and organisational security measures to protect personal information against unauthorised access, alteration, disclosure, or destruction. This includes encryption at rest and in transit, access controls, session management, and regular security reviews.
13. Your Rights (UK & EU)
Individuals in the UK and EU may have rights to:
- Access personal data
- Rectify inaccurate data
- Erase personal data
- Restrict processing
- Object to processing
- Data portability
- Withdraw consent where processing is based on consent
14. Children's Privacy
Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors.
15. Changes to This Policy
We may update this Privacy Policy periodically. Updated versions will be published on this page with a revised effective date.
16. Contact Us
For questions regarding this Privacy Policy or to exercise your rights, please contact us at: